<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[startupciso]]></title><description><![CDATA[Smart security for companies who would rather be shipping great stuff. ]]></description><link>https://startupciso.substack.com</link><image><url>https://substackcdn.com/image/fetch/$s_!V94F!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fstartupciso.substack.com%2Fimg%2Fsubstack.png</url><title>startupciso</title><link>https://startupciso.substack.com</link></image><generator>Substack</generator><lastBuildDate>Sun, 21 Jun 2026 15:14:25 GMT</lastBuildDate><atom:link href="https://startupciso.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[startupciso]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[startupciso@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[startupciso@substack.com]]></itunes:email><itunes:name><![CDATA[LaPalice]]></itunes:name></itunes:owner><itunes:author><![CDATA[LaPalice]]></itunes:author><googleplay:owner><![CDATA[startupciso@substack.com]]></googleplay:owner><googleplay:email><![CDATA[startupciso@substack.com]]></googleplay:email><googleplay:author><![CDATA[LaPalice]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Startups and security : when does it become relevant ?]]></title><description><![CDATA[When I tell my friends I make most of my money as a cybersecurity consultant with startups, their reactions range from nicely surprised to lowkey angry.]]></description><link>https://startupciso.substack.com/p/startups-and-security-when-does-it</link><guid 
isPermaLink="false">https://startupciso.substack.com/p/startups-and-security-when-does-it</guid><dc:creator><![CDATA[LaPalice]]></dc:creator><pubDate>Mon, 08 Feb 2021 11:05:47 GMT</pubDate><content:encoded><![CDATA[<p>When I tell my friends I make most of my money as a cybersecurity consultant with startups, their reactions range from nicely surprised to lowkey angry. Some of them are entrepreneurs, and they would never imagine putting a dime in security at their current stage of development. They wonder where my customers find the money to afford security consulting &#8211; let alone costly security solutions.</p><p>When I ask them to elaborate on their own businesses and point out some risks, I&#8217;m quite often told that they are aware of the risks, but they clearly consider mitigating them to be the last stage of development. You start with building a great product, you spend endless amounts of time iterating to make it better, and then one day, you will probably have a security epiphany and you will start &#8220;doing cybersecurity&#8221;.&nbsp;</p><p>I think they&#8217;re wrong. From my experience, you start with building a great product, you iterate to make it better, you look for customers along the way, and then you build this feature you promised you would never build because client X that makes most of your revenue wants it yesterday, and then you deal with user feedback and demands and whatnot, and&#8230; your security epiphany is often losing a contract because big account Y sends you a security questionnaire and you have none of the answers. And this is the best case scenario &#8211; the worst case being an actual data breach or cyberattack.</p><p>If you are lucky, your CTO has some clues about security and will implement stuff the right way, but here is the thing: all companies consider themselves too early in the process to start thinking about security. 
What I hear most is &#8220;we are not doing it at the moment, but we will when we grow!&#8221;</p><p>And I get that. This is a very common paradox that goes way beyond security. You know that you should spend 10 minutes a day tidying your living room, but guess who is going to panic-clean on Sunday morning because your in-laws will arrive in one hour? Security is the same. It&#8217;s always easier to do things right from the beginning, but it&#8217;s not rewarding to do so, especially when running an early-stage startup. Security is process, while you are yearning for creativity and seamlessness; it&#8217;s cost, when you aim at becoming profitable; it takes a &#8220;what could go wrong&#8221; mindset when you so desperately need optimism to keep going.</p><h2>20,000 miles under the sea</h2><p>But you know you need it, of course. I&#8217;m not going to write the usual paragraph about the cost of a data breach, or GDPR fines, because I don&#8217;t think it&#8217;s how you should think about security. The reason you need security is for pure, sheer business reasons.</p><p>I like to think of security as your scuba diving outfit. Building a startup is a bit like exploring the bottom of the ocean. There is a ton of undiscovered potential, exciting treasures that may be waiting for you, and the deeper you go, the more promising it gets.</p><p>But you cannot just dive 20,000 miles under the sea just because you want to get there. If you hold your breath, you might be able to dive a few meters. With a snorkel, you still cannot go very deep, but you can stay longer and explore. Get a scuba diving outfit and some hours of training, and suddenly you are 50-100 meters under the surface, and free to explore for way longer. And one day, if you build the right submarine, you might end up finding that treasure no one has found before.</p><p>The same applies to security. 
Are you planning on doing disruptive AI-based behavioral analysis on healthcare data? With the right security measures, no one is stopping you, and the barrier to entry will be high enough to keep you ahead of the competition for a while. It&#8217;s the same if you want to land that big customer: their security demands will be higher than your regular SMB&#8217;s, and so will the price they are willing to pay.</p><p>Of course, you need to get the right outfit at the right moment. You&#8217;re not going to buy a submarine to explore the lake 20 km from home. And you&#8217;re not going to run pentests on the prototype that is supposed to get you some pre-seed money. But not buying the snorkel because you plan to get the whole submarine at once when your company grows is going to cost a lot more time and money than you expect; and you will be missing opportunities while catching up.</p><p>Let me give you the dumbest example. One of the basics of security is that you cannot protect what you don&#8217;t know about. 
And, trust me, it&#8217;s harder than it sounds (I recently spent more than 6 weeks at a big customer doing back and forth about specific parts of their Active Directory because nobody was able to know what machines were located in there, and who was in charge of making sure they were secure).</p><div class="twitter-embed" data-attrs="{&quot;url&quot;:&quot;https://twitter.com/hacks4pancakes/status/1352427660480307202&quot;,&quot;full_text&quot;:&quot;Weeks into formal and informal response to Solarwinds Orion IR, and the biggest hurdle to IR I am still seeking is that organizations do not know if they have *found* all of their Solarwinds Orion installations, and what versions they are actually running.&quot;,&quot;username&quot;:&quot;hacks4pancakes&quot;,&quot;name&quot;:&quot;Lesley Carhart&quot;,&quot;profile_image_url&quot;:&quot;&quot;,&quot;date&quot;:&quot;Fri Jan 22 01:27:35 +0000 2021&quot;,&quot;photos&quot;:[],&quot;quoted_tweet&quot;:{},&quot;reply_count&quot;:0,&quot;retweet_count&quot;:120,&quot;like_count&quot;:789,&quot;impression_count&quot;:0,&quot;expanded_url&quot;:{},&quot;video_url&quot;:null,&quot;belowTheFold&quot;:true}" data-component-name="Twitter2ToDOM"></div><div class="twitter-embed" data-attrs="{&quot;url&quot;:&quot;https://twitter.com/hacks4pancakes/status/1352429094877724672&quot;,&quot;full_text&quot;:&quot;I am an inappropriately expensive asset management and discovery tool. Even when paid off the record in food. 
Fix your basic security hygiene before the next big supply chain attack.&quot;,&quot;username&quot;:&quot;hacks4pancakes&quot;,&quot;name&quot;:&quot;Lesley Carhart&quot;,&quot;profile_image_url&quot;:&quot;&quot;,&quot;date&quot;:&quot;Fri Jan 22 01:33:17 +0000 2021&quot;,&quot;photos&quot;:[],&quot;quoted_tweet&quot;:{},&quot;reply_count&quot;:0,&quot;retweet_count&quot;:52,&quot;like_count&quot;:461,&quot;impression_count&quot;:0,&quot;expanded_url&quot;:{},&quot;video_url&quot;:null,&quot;belowTheFold&quot;:true}" data-component-name="Twitter2ToDOM"></div><p>But you are a startup! You probably have X and X, your codebase is still quite new and, sure enough, your CTO still knows all parts of the project. If you start with a robust asset management process now, one year from now you may not end up trying to remember who mentioned they had a PoC running on Solaris, or whether you still run that outdated version of Drupal for that one customer who is not willing to upgrade.</p><h2>The right diving outfit</h2><p>This is what this series of blog posts is about: finding the right diving outfit for the right project, and building a business-centric approach to cybersecurity that follows the main stages of building a startup. What should you do when crafting your business plan? When developing your prototype with freelance developers? When hiring your core team? When getting your first customers? Our common goal should be to maximize what you get from security, while minimizing costs and efforts. I hope you&#8217;ll find this worth it.</p>]]></content:encoded></item><item><title><![CDATA[Smart security for companies who would rather be shipping. 
]]></title><description><![CDATA[Welcome to startupciso by me, startupciso.]]></description><link>https://startupciso.substack.com/p/coming-soon</link><guid isPermaLink="false">https://startupciso.substack.com/p/coming-soon</guid><dc:creator><![CDATA[LaPalice]]></dc:creator><pubDate>Mon, 18 Jan 2021 20:18:50 GMT</pubDate><content:encoded><![CDATA[<p>Welcome to startupciso by me, startupciso. </p><p>Sign up now so you don&#8217;t miss the first issue.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://startupciso.substack.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://startupciso.substack.com/subscribe?"><span>Subscribe now</span></a></p><p>In the meantime, <a href="https://startupciso.substack.com/p/coming-soon?utm_source=substack&utm_medium=email&utm_content=share&action=share">tell your friends</a>!</p>]]></content:encoded></item></channel></rss>